[PATCH] netfs: Fix UAF in netfs_unbuffered_write() on failed preparation

Next message: Markus Probst via B4 Relay: "[PATCH v13 0/2] Introduce Synology Microp driver"
Previous message: SeongJae Park: "[RFC PATCH] MAINTAINERS: add ABI documents for mm"
In reply to: hongao: "[PATCH] netfs: Fix UAF in netfs_unbuffered_write() on failed preparation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: hongao

Date: Fri May 29 2026 - 21:22:16 EST

If write subrequest preparation fails, netfs_unbuffered_write() calls
netfs_write_subrequest_terminated() and then reads subreq->error to set
wreq->error.

However, netfs_write_subrequest_terminated() consumes a reference to the
subrequest through netfs_put_subrequest(), so the subrequest may be freed
before netfs_unbuffered_write() reads subreq->error again. This can
trigger a slab-use-after-free.

Save the error locally before terminating the subrequest, and use the
saved value afterwards.

Fixes: a0b4c7a49137 ("netfs: Fix unbuffered/DIO writes to dispatch subrequests in strict sequence")
Reported-by: syzbot+3c74b1f0c372e98efc32@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=3c74b1f0c372e98efc32

Signed-off-by: hongao <hongao@xxxxxxxxxxxxx>
---
fs/netfs/direct_write.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index 25f8ceb15fad..2d5361702076 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -115,8 +115,9 @@ static int netfs_unbuffered_write(struct netfs_io_request *wreq)

/* Check if (re-)preparation failed. */
if (unlikely(test_bit(NETFS_SREQ_FAILED, &subreq->flags))) {
- netfs_write_subrequest_terminated(subreq, subreq->error);
- wreq->error = subreq->error;
+ ret = subreq->error;
+ wreq->error = ret;
+ netfs_write_subrequest_terminated(subreq, ret);
break;
}

--
2.51.0